Refreshing an access token

According to the spec https://tools.ietf.org/html/rfc6749#section-6 “The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client.”

It appears that in my Okta tenant, I am NOT getting back a new refresh token when I use the refresh_token grant type to get a new access token from the /token endpoint. Is this the default behavior of Okta? Is it configurable somewhere in the admin portal?

Hi @cat,

The key word in the spec is “MAY”. It’s not a “MUST”.
Okta doesn’t generate a new refresh token each time the /token endpoint is called.
The default and only behavior currently is to use the same refresh token until it expires.
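Client-side handling of that "MAY", as an added example that is not part of this thread or Okta's SDKs: the refresh_token grant body per RFC 6749 section 6, and a merge that keeps the old refresh token unless the server returned a new one (the token responses below are constructed in the RFC 6749 section 5.1 shape, not captured from Okta).

```python
import json
from urllib.parse import urlencode

# Constructed sample token responses (RFC 6749 section 5.1 shape), not real Okta output.
RESPONSE_WITHOUT_ROTATION = json.dumps({
    "access_token": "ACCESS-2", "token_type": "Bearer", "expires_in": 3600,
})
RESPONSE_WITH_ROTATION = json.dumps({
    "access_token": "ACCESS-3", "token_type": "Bearer", "expires_in": 3600,
    "refresh_token": "REFRESH-2", "scope": "openid offline_access",
})


def build_refresh_request(refresh_token, scope=None):
    """Form-encoded body for the refresh_token grant (RFC 6749 section 6)."""
    params = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if scope:
        params["scope"] = scope  # may only narrow the originally granted scope
    return urlencode(params)


def apply_token_response(stored, body):
    """Merge a token response into the stored token set.

    Keeps the existing refresh token (Okta's behaviour per the reply above)
    unless the server issued a new one, in which case the old one is
    discarded, as the spec requires of the client.
    """
    resp = json.loads(body)
    if resp.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % resp.get("token_type"))
    updated = dict(stored)
    updated["access_token"] = resp["access_token"]
    updated["expires_in"] = int(resp["expires_in"])
    new_refresh = resp.get("refresh_token")
    if new_refresh:
        updated["refresh_token"] = new_refresh  # client MUST replace the old one
    updated["rotated"] = bool(new_refresh)
    return updated


if __name__ == "__main__":
    tokens = {"access_token": "ACCESS-1", "refresh_token": "REFRESH-1"}
    print(build_refresh_request(tokens["refresh_token"]))
    tokens = apply_token_response(tokens, RESPONSE_WITHOUT_ROTATION)  # same refresh token kept
    tokens = apply_token_response(tokens, RESPONSE_WITH_ROTATION)     # rotating server
    print(tokens)
```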

@vijet Sounds good, thank you for clarifying! I think that should be called out in the documentation :wink:

Thank you for pointing it out. We will update the documentation :slight_smile: